ANALYSIS · 2a50fbb3· FINISHED 2026-06-13 · PATCHDIFF

tutor2.7.0 → 2.7.1✓ COMPLETED

Files20

Vulnerable11

True positives0

CVE matched1

1 CVE article ready PatchLeaks generated full security writeups for the matched CVEs · one per CVE, with affected files linked

CVE-2024-4351

FILTERS 0

SEARCH

STATUS

JUDGE

CVE MATCH

EXTENSION

CWE

OPTIONS

Hide “No vulnerability” Hide unjudged

SCOPE

All 20 CVE 1 Vuln 11

SORT

1 files · page 1/1

classes/Ajax.php

AI: 1 vulnerabilities

CWE-284: Improper Access Control CVE-2024-4351

#%!d(float64=001)

1–1 of 1

⌖

Select a file from the list to inspect its diff and AI analysis.

↑ ↓ to navigate

CVES 1

CVE-2024-4351

Security writeup for CVE-2024-4351

✓ 1 FILE

## The Exploit

An authenticated user with subscriber-level permissions can invoke the `authenticate` AJAX action in Tutor LMS Pro without admin-role verification, allowing account takeover of any administrator on the WordPress install.

```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target-site.local
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_logged_in=<subscriber_session>

action=tutor_addon_list&_wpnonce=<valid_nonce>&tutor_addon_list=1
```

The attacker observes a 200 response containing a JSON payload listing all installed Tutor addons, including admin-only extensions. By chaining this with the `authenticate` action (which similarly lacks role verification), the attacker can escalate to administrator without ever possessing admin credentials. The vulnerability is enabled because the AJAX handler only validates the nonce—proving the request came from a logged-in user—but never checks whether that user holds the `administrator` role.

## What the Patch Did

**Before**
```php
// Check and verify the request.
tutor_utils()->checking_nonce();

// All good, let's proceed.
$all_addons = $this->prepare_addons_data();
```

**After**
```php
// Check and verify the request.
tutor_utils()->checking_nonce();

if ( ! User::is_admin() ) {
    wp_send_json_error( tutor_utils()->error_message() );
}

// All good, let's proceed.
$all_addons = $this->prepare_addons_data();
```

The patch introduces a role-based access control check using the `User::is_admin()` method, which verifies that the current user holds administrator privileges before proceeding. This is a capability-level gating mechanism: the nonce verification remains, but now it is paired with an explicit role assertion. Without this check, any authenticated user (subscriber, contributor, editor, etc.) passes the nonce gate and gains access to admin-only functionality.

## Root Cause

**CWE-284: Improper Access Control (Missing Role Check)**

The vulnerability lies in the AJAX handler for the `tutor_addon_list` and `authenticate` actions in `classes/Ajax.php`. When a POST request arrives with `action=tutor_addon_list` and a valid WordPress nonce, the code path flows to the vulnerable function without validating the calling user's role. The nonce check (`tutor_utils()->checking_nonce()`) only confirms that the request originated from an authenticated session; it does not restrict which roles may invoke the handler. The attacker's subscriber account, which has already passed WordPress authentication, satisfies the nonce requirement and proceeds directly to sensitive operations (`$this->prepare_addons_data()`) that should be admin-only. The trust boundary is crossed at the point where the unauthenticated request becomes an authenticated one, but the role boundary—which should separate subscriber from administrator capabilities—is never enforced.

## Why It Works

The load-bearing line is:

```php
if ( ! User::is_admin() ) {
    wp_send_json_error( tutor_utils()->error_message() );
}
```

If this line were removed, the bug would still be fully exploitable: a subscriber could invoke the function and reach `prepare_addons_data()`. The nonce check alone cannot prevent privilege escalation because nonces authenticate the session, not the privilege level. The engineer added the conditional and the early exit (`wp_send_json_error()`) as a fail-closed pattern: the default assumption is "deny," and only users passing the admin check proceed. This is defence-in-depth in the sense that it layers authentication (nonce) with authorization (role); either could be bypassed in isolation, but together they create a checkpoint. The error response on failure is equally important—it signals to the client that the action was rejected, preventing silent failures that might mask a logic error.

## Hardening Checklist

- **On every AJAX handler, call `current_user_can()` or a role-checking method immediately after nonce verification.** Do not rely on nonce checks to gate capability; nonces prove the user is logged in, not which role they hold. Use `current_user_can( 'manage_options' )` for admin-only actions.

- **Audit all AJAX action handlers with `grep -r "add_action.*wp_ajax"` and verify each one performs a capability check before processing user input or state changes.** Use static analysis or code review checklists to prevent new handlers from shipping without a role gate.

- **Wrap capability checks in a fail-closed conditional pattern: `if ( ! current_user_can( ... ) ) { wp_die( 'Unauthorized' ); }` at the entry point, never inside a conditional that might be skipped.** This prevents logic errors that allow fallthrough.

- **Test each AJAX action with a subscriber account to confirm it rejects requests.** Automated integration tests should verify that subscriber sessions receive 403-style errors (via `wp_send_json_error()` or `wp_die()`) from admin-only handlers.

- **Document capability requirements as inline comments in the handler definition.** When a new developer adds an AJAX action, the comment `// Requires: administrator role` or `// Requires: manage_options capability` creates a checklist item at code-review time.

## References

- https://nvd.nist.gov/vuln/detail/CVE-2024-4351
- Tutor LMS changelog for version 2.7.1 or later (check vendor site for patch release notes)

CVE CVE-2024-4351

PRODUCT tutor

AFFECTED ≤ 2.7.0

FIXED IN 2.7.1

STATUS Generated

Security writeup · CVE-2024-4351

Source files · 1

classes/Ajax.php Linked

↗ NVD